WLS Services Brochure March 2013


The WLS value proposition is:
-Extensive IT business experience and capability
-Demonstrated IT risk and compliance delivery
-Proven commercial experience with practical perspectives
-Low overhead compared to larger service providers results in a more competitive service
-Flexibility in service provision to reflect your business budgetary and resource requirements

Published in: Technology, Business

IT Business Risk and Compliance Services
Mike Wright
Mobile +61(4) 17 044 622
Email: mike@wrightlane.com.au

Here are some IT Compliance questions you may want to consider:
1. As a business project sponsor or project manager for an IT project, do you need to ensure it is on track?
2. Do you want to benchmark the maturity of your ITIL service management shop?
3. Do you want to better manage IT risk in your organisation?
4. How comfortable are you with your Website management and controls?
5. Are your IT policies current and when were they last reviewed?
6. Has your company outsourced part, or all, of your IT Function? If so, is it working?
7. Does your company adequately govern IT project investment and realise the benefits?
8. Does your Internal Audit department need to assess your IT environment but can't justify a full-time IT Audit resource?
9. Does your business or IT department require support for a new application or service but is not sure how to develop a RFI or RFP?

If the answer is yes, read on, Wright Lane Services can be of help!

Mike Wright has extensive and proven IT business risk and compliance capability with major international corporations such as Qantas (Australia) and Cable & Wireless, Sainsbury and Esso Petroleum (UK).

1. As a business project sponsor or IT project manager for an IT project, do you need to ensure it's on track?

There are a number of IT application related reviews or Healthchecks that can be undertaken depending on the development phase of the project or system:
- Project Management reviews include the set-up of the project team and validate that adequate project processes are in place.
- Systems Readiness reviews, prior to implementing an application, review application controls, adequacy of testing and business readiness.
- Post-Implementation reviews (PIR) evaluate business feedback and allow the project team to focus on what is needed to successfully close the project.
- Application controls reviews evaluate an application's availability, security, integrity and maintainability, including the underlying manual business processes necessary from a controls perspective.

Approach and Deliverables
- A series of interviews, with both IT and business stakeholders, is undertaken to ensure that the intended project objectives are agreed and are aligned to meet the business needs.
- The project management governance model is reviewed and the adequacy of procedures for maintenance, recovery and data integrity is verified.
- Verify that potential project risks have been identified and that mitigation plans are in place.
- The findings and any issues will be discussed with management. Practical recommendations are made in consultation, highlighting practices that are currently being done efficiently and effectively as well as those areas that may require improvements. Agreed actions will be included in a final report following this consultation process.

2. Do you want to benchmark the maturity of your ITIL service management shop?

Based on the internationally recognised best practice ISACA CobiT Guide for Service Managers: CobiT focuses on what should be addressed to ensure IT controls, while ITIL provides best practices describing how to plan, design and implement effective service management capabilities. When used together, the power of both approaches is amplified, providing an effective way to benchmark and achieve improvement supported by CobiT's control objectives and practices.

Approach and Deliverables
- Interviews with IT and business stakeholders and the suppliers providing the outsourced service allow the current service management environment to be documented.
- The current business and supplier service roles and responsibilities are then evaluated against ITIL and CobiT guidelines.
- A capability assessment using the CobiT maturity model for ITIL V3 processes is used to benchmark the ITIL processes that management wants to review. It's recommended that service level agreement management and performance monitoring are always undertaken.
- A benchmark maturity report is produced using the traffic light approach, with a recommended Implementation Action Plan agreed with management.

3. Do you want to manage IT risk better in your organisation?

The ISACA Risk IT framework is about IT risk, but more importantly, business risk related to the use of IT. The framework uses top-down business objectives and bottom-up generic IT risk scenarios, which can be used to create an IT Improvement Program or alternatively slot into your existing ERM framework such as COSO or ISO 31000. There are two alternative approaches:

I) Full Risk IT Implementation to Create an Ongoing IT Risk Framework for Your Organisation

To fully implement the Risk IT framework is a significant program of work; the objective is to enable your enterprise to identify and manage all significant IT risk types by providing an end-to-end, comprehensive view of all IT related risks.

Approach and Deliverables
This approach to fully implement the Risk IT framework involves the following:
1. Define scope of risk analysis. Determine top strategic business objectives and an oversight of IT. Determine initial scope; initially start with Top 5 Business and Top 5 IT Risks.
2. Collect data. Interview key business and IT stakeholders and review available material. Obtain IT incident and audit reports, change logs, risk reports and feedback on IT trend analysis and regulatory requirement changes.
3. Identify common risk factors and cluster interrelated events.
4. Estimate IT risk. Apply risk tolerances for determining risk response.
5. Identify risk response options. Review findings with the CIO, CRO and/or relevant business representatives.
6. Review the analysis. Draft interim report from findings.
7. Reporting. Issue initial draft report for discussion and review, seek management feedback and agree an ongoing IT risk Continuous Improvement Program to feed into the ERM.

II) Risk IT Lite to Develop a One-Off Continuous Improvement Program

A simpler alternative is to work with both the business and IT management using elements of the Risk IT framework to conduct a Risk IT assessment and create a continuous improvement program.

Approach and Deliverables
This Risk IT Lite approach uses elements of the Risk IT framework and involves the following:
1. Top-Down Business Review - Input from business representatives on areas and assets to take into account Top 5 Business and Top 5 IT Risks and feedback on frequent IT events.
2. Bottom-Up IT Department Risk Review - Obtain IT Risk Register, incident and audit reports, change logs, former risk reports and feedback on IT trend analysis.
3. Analyse Review Results - Review IT Department Risk Register and discuss with IT senior management. Findings are reviewed with CIO and CRO and/or relevant business representatives to agree IT risk rating and response.
4. Reporting - Issue initial IT Risk Continuous Improvement plan to key stakeholders (via email) and amend draft report given IT senior management feedback.

4. How comfortable are you with your Website?

The scope of this review assesses the existing website against known best practice and provides a controls related compliance view of the existing website environment. The purpose of this work is to identify any areas of the website for enhancement in order to have a more cost effective, sustainable and secure website environment.

Approach and Deliverables
- Review and map the existing website environment against best practice standards, including the web-based applications in use and the data they use, and the controls in place such as application development standards including data validation, change management, and testing. Website accountabilities for access administration and performance monitoring are reviewed.
- Assess whether adequate processes exist for the management of the existing website environment in regard to a Data Management Strategy, and benchmark the existing website infrastructure against the latest multi-layered best practice standards.
- Create a report with recommendations for consideration including the deficiencies of the existing website and a detailed plan of issues identified during the review.

5. Are your IT policies up-to-date, and when were they last reviewed?

IT best practice recommends that management review IT policies periodically to ensure they reflect new technology, changes in the environment such as regulatory compliance, and significant changes in business processes in exploiting information technology for competitive gain. As such, a practical alternative given the constraints on in-house IT compliance resources is to outsource this activity, and Wright Lane Services is in a position to fulfil this requirement.

Approach and Deliverables
- Either review and revise existing IT policies benchmarked against best practice, or supply a new set of IT policies.
- Evaluate whether the IT policies reflect the existing IT environment, including new technology and threats.
- Evaluate whether the IT policies reflect the latest governmental, legal and regulatory requirements.
- Evaluate whether the IT policy is integrated with the overall corporate policies such as HR and Procurement.
- Recommend an IT policy framework, including the individual IT policies themselves.
- Recommend a strategy on how best to implement the IT policies to best effect once agreed by management.

6. Has your company outsourced part or all of your IT Function? If so, is it working?

The objective of carrying out an outsourcing review is to determine whether:
- The risks associated with outsourcing, such as continued availability of services, acceptable levels of services and security of information, are adequately and effectively mitigated through appropriate controls that are implemented and functioning.
- The objectives of outsourcing are being achieved.
- The IT strategy has been suitably modified to make best use of outsourcing.

The outsourcing of IT work involves assessing outsourced risk in relation to software development, application support and maintenance, and infrastructure management services. It must look at the total picture. Outsourcing has many benefits, but it also needs constant monitoring to evaluate both the technical and business aspects, as necessary, to assess the health of the outsourcing and take necessary corrective or improvement actions.

Approach and Deliverables
The review would typically involve reviewing the following:
o Services Agreement and Statement of Work
o High-level monitoring, connectivity and network security
o Data security
o Project monitoring and governance
o Compliance with regulatory requirements
o Benefit measurement
o Customer satisfaction
o Impact on IT strategy
Create a report with recommendations for consideration including the deficiencies of the existing website and a detailed plan of issues identified during the review.

7. Does your company adequately govern IT project investment and realise the benefits?

Poor IT project management governance of IT investment can occur due to a lack of project business cases and accountability for benefits realisation. This can be because no formal enterprise wide business justification process exists. Therefore the following approach needs to be given the remit by senior management to establish the following process, facilitated by IT but owned by the business unit sponsors.

Approach and Deliverables
The following steps would be undertaken as per the ISACA Val-IT best practice program template:
Step 1 - Review IT Project Initiation Document (PID) with all the relevant data, followed by analysis of the data concerning:
o Step 2 - Alignment analysis
o Step 3 - Financial benefits analysis
o Step 4 - Non-financial benefits analysis
o Step 5 - Risk analysis
Step 6 - Appraisal and optimisation of the risk/return of the IT-enabled investment
Step 7 - The Project Business Case Evaluation would be agreed with IT and lodged with the IT PMO by the Project Manager. Any significant scope changes would be updated to the business case and any benefits realisation impact reviewed.

8. Does your Internal Audit Department need to assess the IT environment but can't justify a full-time IT Audit resource?

Wright Lane Services can provide part-time IT audit compliance and IT risk consultancy to supplement existing capability and capacity with a full suite of IT audit services and requirements.

Approach and Deliverables
- Perform IT audits identified on the existing Internal Audit schedule.
- Perform an IT Risk Assessment to create a 3-Year IT Audit Plan customised to meet your IT environment, coupled with the strategic business objectives of your organisation.
- Perform one-off senior management requests such as investigations related to IT applications.
- Project Healthchecks.

9. Does the business or IT department require support for a new application or service but is not sure how to develop a RFI or RFP?

Wright Lane Services can provide the necessary support to interface between IT and the business to ensure that the business requirements for a proposed IT application provision are understood (and in some cases, justified) as part of the RFI and RFP preparation and analysis. This starts by verifying whether a simpler in-house solution already exists and, if not, ensuring the business understands and will realise the benefits of a turnkey outsourced supplier solution.

Approach and Deliverables
The steps involved include:
1. Identifying the Need
2. Development of Specification
3. Selecting the Procurement Method
4. Developing the Specification and Contract Documents
5. Seeking, Clarifying and Closing Offers
6. Evaluating Offers
7. Identifying the Preferred Supplier
8. Negotiating the Contract
9. Disposals
10. Evaluating the Procurement Process

Group Internal Audit 3-Year IT Audit Plan

Audit Year: 2011
IT Audit Name: Network Management and IT Security Review
IT Audit Scope: Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorised use of information assets. Evaluate network infrastructure security to ensure the confidentiality, integrity, availability and authorised use of the network and information transmitted.
IT Audit Objectives: IT continuity plans to reduce the impact of a major disruption on key business functions exist. Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
IT Risk Rating: M, L
Generic IT Risk Topics Covered: Malware and logical attacks; Logical trespassing

Audit Year: 2011
IT Audit Name: Database Management Review
IT Audit Scope: Evaluate data administration practices to ensure the integrity and optimisation of databases. Evaluate a sample of enterprise databases.
IT Audit Objectives: Ensure management of: security policy; user accounts and user access; access login and reviewing; disaster recovery plans; logical and physical access controls for infrastructure; administrative and systemic user access controls.
IT Risk Rating: L
Generic IT Risk Topics Covered: Data(base) integrity

Audit Year: 2012
IT Audit Name: IT Project Management Governance Framework Audit
IT Audit Scope: IT Program Management. For a sample of large, medium and small IT projects, review that: the IT PM methodology is followed; cost and performance management are in place; a quality plan exists to deliver benefits to business expectations; implementations thus far have been managed adequately.
IT Audit Objectives: Standards are maintained for all development and acquisition and follow the life cycle of the ultimate deliverable, and include sign-off at key milestones based on agreed-upon sign-off criteria. Measure project performance against key project performance scope, schedule, quality, cost and risk criteria. An implementation and fallback/backout plan exists with approval from relevant parties.
IT Risk Rating: H, M
Generic IT Risk Topics Covered: Software implementation; IT project termination and project delivery & project quality; IT programme selection

Audit Year: 2013
IT Audit Name: IT Operations Audit
IT Audit Scope: Evaluate operations management to ensure that IT support functions effectively meet business needs. Evaluate the use of capacity and performance monitoring tools and techniques to ensure that IT services meet the organisation's objectives.
IT Audit Objectives: Plan the actions to be taken for the period when IT is recovering and resuming services. Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.
IT Risk Rating: L, M, M, L
Generic IT Risk Topics Covered: Software performance; System capacity; Utilities performance; Information media

Audit Year: 2013
IT Audit Name: Physical and Environmental Controls Audit
IT Audit Scope: Physical Controls: evaluate the design, implementation and monitoring of physical controls to ensure that information assets are adequately safeguarded. Environmental Controls: evaluate the design, implementation and monitoring of environmental controls to prevent or minimise loss.
IT Audit Objectives: Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs. Define and implement physical security measures in line with business requirements to secure the location and the physical assets. Include background checks in the IT recruitment process; these should be applied to employees, contractors and vendors.
IT Risk Rating: L, L, L
Generic IT Risk Topics Covered: Physical and environmental; Infrastructure (hardware); Infrastructure theft and destruction of infrastructure